CMS says ACA data hub is secure; Republicans voice doubts

With time ticking before President Obama’s Affordable Care Act (ACA) is launched on Oct. 1, 2013, the Centers for Medicare & Medicaid Services (CMS) confirmed that the Data Services Hub (Hub) used to determine eligibility for federal subsidies is capable of protecting patient data. However, during Wednesday’s House of Representatives subcommittee hearing on cybersecurity, there were divergent perspectives on the Hub’s readiness.

Whether enrolled patients’ data would truly be safe and secure was a major point of contention for the Office of Inspector General (OIG) this summer. The OIG released a report stating its concerns in August when the government said testing had been delayed and it wasn’t sure when the system’s safeguards would be finalized, leaving the door open for it to take until September 30.

OIG was worried that since a planned CMS Security Control Assessment (SCA) had been postponed three times and eventually was completed on August 23, there would be less time to determine the quality of the Hub’s data security features before the October 1 launch. But CMS said that the Hub received an authorization to operate on September 6 and similar to other data hubs, security will be evaluated on a continual basis. Specifically, CMS said it plans on periodically reviewing security through independent penetration testing, automated vulnerability scans, system configuration monitoring, and active web application scanning.

The integrity of patient data is especially critical given the Hub will have personally identifiable data (PII) such as Social Security numbers and immigration statuses running through it. According to the CMS news release, CMS and the Department of Health and Human Services (HHS) will use several protection layers to learn about security incidents quickly and efficiently. In addition to internal system monitoring, the government will have incident response features in the system.

If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents. This allows CMS and the Department of Health and Human Services (HHS) to quickly identify security incidents and ensure that the relevant law enforcement authorities, such as the HHS Office of Inspector General Cyber Crimes Unit, are notified for purposes of possible criminal investigation.

CMS said that the Hub will adhere to “federal statutes, guidelines and industry standards that ensure the security, privacy, and integrity of systems and the data that flows through them.” This includes the Privacy Act of 1974, the Computer Security Act of 1987, and the Federal Information Security Management Act of 2002.

Republicans incredulous on security features

While CMS did beat the buzzer in getting security clearance for the Hub, not everyone in Washington believes that all security flaws have been ironed out at this point. “They got a very late start on this, and then they cut corners — and they knew they were cutting corners — to meet their deadlines,” Michael Astrue, a Republican and former head of the Social Security Administration said, according to the Washington Post. “Whenever you are doing something quick and dirty, the price you pay is problems down the road.”

But Rep. Yvette D. Clarke of New York, the ranking Democrat on the panel, said the doom-and-gloom Hub claims about the hub aren’t consistent with what the Hub will actually do, according to the Washington Times. “The data services hub is not a database,” she said. “It will not function as a database. It will not contain health care records.” The Times added that the Hub’s final details are not yet concrete.